Archive for the ‘Malware Alerts’ Category

Jan 02

System Check Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Check rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemCheck.

System Check is a rogue application and another variant of System Fix, System Restore, Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, but which it will not let you fix until you purchase it.

Create new files:

  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\~[random]
  • %AllUsersProfile%\Application Data\~[random]r
  • %AllUsersProfile%\Application Data\[random]
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
  • %UserProfile%\Desktop\System Check.lnk
  • %Temp%\3.tmp
  • %Temp%\smtmp\
  • %Temp%\smtmp\2\
  • %Temp%\smtmp\4\
  • %Temp%\smtmp\1\
  • %UserProfile%\Start Menu\Programs\System Check\
  • %UserProfile%\Start Menu\Programs\System Check\Uninstall System Check.lnk
  • %UserProfile%\Start Menu\Programs\System Check\System Check.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr = 01000000
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    [random].exe = %AllUsersProfile%\Application Data\[random].exe
  • HKEY_CURRENT_USER\Control Panel\
    nsreg = F82D014F
  • HKEY_CURRENT_USER\Control Panel\
    bin = 43003A005C0044006F006…
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
    Use FormSuggest = Yes
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden = (empty)
    ShowSuperHidden = (empty)
    TaskbarGlomming = (empty)
    TaskbarGlomLevel = 02000000
    Start_ShowControlPanel = (empty)
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    NoDesktop = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\System\
    DisableTaskMgr = 01000000

Screenshots (images not included): Rogue.Win32.SystemCheck

To register and uninstall this rogue application, you can try the following serial number and enter any email address:

1203978628012489708290478989147

How to remove the infection of System Check (Rogue.Win32.SystemCheck)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Dec 30

Super AV Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Super AV rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SuperAV.

Super AV is a rogue application and another variant of Antivirii 2011. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, but which it will not let you fix until you purchase it.

Create new files:

  • %SystemDrive%\xhergjui.exe
  • %SystemRoot%\bgmgfhpi.exe

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    Security = %SystemRoot%\bgmgfhpi.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\
    Debugger = %SystemDrive%\xhergjui.exe

Screenshots (images not included): Rogue.Win32.SuperAV

How to remove the infection of Super AV (Rogue.Win32.SuperAV)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Dec 26

Home Security Solutions Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Home Security Solutions rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.HomeSecuritySolutions.

Home Security Solutions is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, but which it will not let you fix until you purchase it.

Create new files:

  • %AllUsersProfile%\Application Data\93d79\
  • %AllUsersProfile%\Application Data\93d79\Quarantine Items\
  • %AllUsersProfile%\Application Data\93d79\HSSSys\
  • %AllUsersProfile%\Application Data\93d79\HSS.ico
  • %AllUsersProfile%\Application Data\93d79\mozcrt19.dll
  • %AllUsersProfile%\Application Data\93d79\sqlite3.dll
  • %AllUsersProfile%\Application Data\93d79\HS147.exe
  • %AllUsersProfile%\Application Data\HSMGPBWS\
  • %AllUsersProfile%\Application Data\HSMGPBWS\HSVNAS.cfg
  • %AppData%\Home Security Solutions\
  • %AppData%\Home Security Solutions\Instructions.ini
  • %AppData%\Home Security Solutions\ScanDisk_.exe
  • %AppData%\Home Security Solutions\cookies.sqlite
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Home Security Solutions.lnk
  • %UserProfile%\Desktop\Home Security Solutions.lnk
  • %UserProfile%\Recent\tjd.sys
  • %UserProfile%\Recent\tjd.tmp
  • %UserProfile%\Recent\CLSV.exe
  • %UserProfile%\Recent\delfile.dll
  • %UserProfile%\Recent\dudl.tmp
  • %UserProfile%\Recent\eb.sys
  • %UserProfile%\Recent\energy.sys
  • %UserProfile%\Recent\exec.exe
  • %UserProfile%\Recent\exec.tmp
  • %UserProfile%\Recent\FW.drv
  • %UserProfile%\Recent\gid.tmp
  • %UserProfile%\Recent\hymt.sys
  • %UserProfile%\Recent\kernel32.drv
  • %UserProfile%\Recent\pal.exe
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\SICKBOY.drv
  • %UserProfile%\Recent\std.dll
  • %UserProfile%\Start Menu\Home Security Solutions.lnk
  • %UserProfile%\Start Menu\Programs\Home Security Solutions.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    (Default) = Implements DocHostUIHandler
    LocalServer32 = %AllUsersProfile%\Application Data\93d79\HS147.exe
    ProgID = HS147.DocHostUIHandler
  • HKEY_LOCAL_MACHINE\software\Classes\HS147.DocHostUIHandler
    (Default) = Implements DocHostUIHandler
    Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\
    Debugger = svchost.exe
  • HKEY_CURRENT_USER\software\3
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
    ltTST = 7F3E0000
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
    RunInvalidSignatures = 01000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    DisallowRun = 01000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
    0 = msseces.exe
    1 = MSASCui.exe
    2 = ekrn.exe
    3 = egui.exe
    4 = avgnt.exe
    5 = avcenter.exe
    6 = avscan.exe
    7 = avgfrw.exe
    8 = avgui.exe
    9 = avgtray.exe
    10 = avgscanx.exe
    11 = avgcfgex.exe
    12 = avgemc.exe
    13 = avgchsvx.exe
    14 = avgcmgr.exe
    15 = avgwdsvc.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    Home Security Solutions = "%AllUsersProfile%\Application Data\93d79\HS147.exe" /s /d
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
    HSS = "%Temp%\scandsk211d_8016.exe" /cs:1

Screenshots (images not included): Rogue.Win32.HomeSecuritySolutions

To register and uninstall this rogue application, you can try one of the following serial numbers:

K7LY-R5GU-SI9D-EVFB
K7LY-H4KA-SI9D-U2FD
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Home Security Solutions (Rogue.Win32.HomeSecuritySolutions)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Dec 14

Security Monitor 2012 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Security Monitor 2012 rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SecurityMonitor2012.

Security Monitor 2012 is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, but which it will not let you fix until you purchase it.

Create new files:

  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Security Monitor.lnk
  • %AppData%\Security Monitor\
  • %AppData%\Security Monitor\IcoHelp.ico
  • %AppData%\Security Monitor\IcoUninstall.ico
  • %AppData%\Security Monitor\Security Monitor.exe
  • %AppData%\Security Monitor\securityhelper.exe
  • %AppData%\Security Monitor\securitymanager.exe
  • %AppData%\Security Monitor\IcoActivate.ico
  • %UserProfile%\Desktop\Security Monitor.lnk
  • %Temp%\aqfitrlxi2.exe
  • %Temp%\backd-efq.exe
  • %Temp%\brdss.exe
  • %Temp%\bzqa43d.exe
  • %Temp%\cffd4.exe
  • %Temp%\cocksucker.exe
  • %Temp%\cosock.exe
  • %Temp%\cowceb.exe
  • %Temp%\cunifuc.exe
  • %Temp%\d20mes.exe
  • %Temp%\dc_3.exe
  • %Temp%\dd10x10.exe
  • %Temp%\ddoll3342.exe
  • %Temp%\destroyer.exe
  • %Temp%\dffuck.exe
  • %Temp%\dkfjd93.exe
  • %Temp%\ds7hw.exe
  • %Temp%\eelnvd13.exe
  • %Temp%\exppdf_w.exe
  • %Temp%\fadz43.exe
  • %Temp%\fe.exe
  • %Temp%\format.exe
  • %Temp%\g_dx234.exe
  • %Temp%\ggwwef9752.exe
  • %Temp%\gpupz2a.exe
  • %Temp%\hhbboll_2.exe
  • %Temp%\hiphop.exe
  • %Temp%\hodeme.exe
  • %Temp%\htfad4.exe
  • %Temp%\hvipws9.exe
  • %Temp%\jdhellwo3.exe
  • %Temp%\jkfuckfu.exe
  • %Temp%\jofcdks.exe
  • %Temp%\kjdh_gf_jjdhgd.exe
  • %Temp%\kjh102k3.exe
  • %Temp%\kn.a.exe
  • %Temp%\kock.exe
  • %Temp%\ljts-23.exe
  • %Temp%\lkhgg_ea.exe
  • %Temp%\lols.exe
  • %Temp%\ploper.exe
  • %Temp%\poertd.exe
  • %Temp%\ppddfcfux.exxe
  • %Temp%\protector2.exe
  • %Temp%\pswwg3c.exe
  • %Temp%\puzpup.exe
  • %Temp%\qwedvor.exe
  • %Temp%\qwklrvjhqlkj.exe
  • %Temp%\r0life.exe
  • %Temp%\rator.exe
  • %Temp%\rtfme.exe
  • %Temp%\safe.exe
  • %Temp%\snowif.exe
  • %Temp%\sycre.exe
  • %Temp%\timem.exe
  • %Temp%\tryh-blv.exe
  • %Temp%\w32-reno-c.exe
  • %Temp%\w32rim_mem.exe
  • %Temp%\warsddd_w.exe
  • %Temp%\wefgetn_00.exe
  • %Temp%\wined.exe
  • %Temp%\winifi.exe
  • %Temp%\wrcud12.exe
  • %Temp%\wrfwe_di.exe
  • %Temp%\wwautrsd.exe
  • %Temp%\wwwsssgen.exe
  • %Temp%\_2.tmp
  • %Temp%\1iowieoo.exe
  • %Temp%\02c9c3c35bdx5.exe
  • %Temp%\8gmsed-bd.exe
  • %Temp%\17dkf.exe
  • %Temp%\472a10e2ebxd9.exe
  • %Temp%\56493.exe
  • %Temp%\ae0965a7157cd.exe
  • %Temp%\al3erfa3.exe
  • %Temp%\alerfa.exe
  • %Temp%\alerfa2.exe
  • %Temp%\altedf.exe
  • %UserProfile%\Start Menu\Programs\Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\
  • %UserProfile%\Start Menu\Programs\Security Monitor\Help Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\How to Activate Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\Activate Security Monitor.lnk

Create new registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    Security Monitor = "%AppData%\Security Monitor\Security Monitor.exe" /STARTUP
    Security Monitor 2012 Security = %AppData%\Security Monitor\securitymanager.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor\
    DisplayName = Security Monitor
    UninstallString = "%AppData%\Security Monitor\securityhelper.exe" /UNINSTALL
    DisplayIcon = "%AppData%\Security Monitor\securityhelper.exe",1
  • HKEY_CURRENT_USER\software\Security Monitor\
    (Default) = %AppData%\Security Monitor
    BuyUrl = B65B17E3F9DA41446905D3BE0E550632B225D0DB132371E38F96D84D2B2F05B40CF125…
    uninstaller = %AppData%\Security Monitor\securityhelper.exe
    ADVid = 390
    InstallDir = %AppData%\Security Monitor\
    SoftID = Security Monitor
    ScanSystemOnStartup = 01000000
    AutomaticallyUpdates = 01000000
    BackgroundScan = 01000000
    BackgroundScanTimeout = 01000000
    tb = DB070C0003000E000D00090015002202
    InstNM = %AppData%\Security Monitor\Security Monitor.exe
    LastTimeStamp = FD000000
    LastUpdateDate = 2011/11/23

Screenshots (images not included): Rogue.Win32.SecurityMonitor2012

How to remove the infection of Security Monitor 2012 (Rogue.Win32.SecurityMonitor2012)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Nov 29

XP Antivirus 2012 (MultiFakeAV) Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the XP Antivirus 2012 (MultiFakeAV) rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.MultiFakeAV.

XP Antivirus 2012 is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, but which it will not let you fix until you purchase it. This rogue scanner is able to change its name depending on the operating system; on Windows 7, for example, it calls itself "Win 7 Antispyware 2012".

Create new files:

  • %AllUsersProfile%\Application Data\157850g1p046c522p184r5dtv4q8
  • %AppData%\157850g1p046c522p184r5dtv4q8
  • %Temp%\157850g1p046c522p184r5dtv4q8
  • %UserProfile%\Templates\157850g1p046c522p184r5dtv4q8
  • %UserProfile%\Local Settings\Application Data\%random%.exe
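The file lists in this post and in the earlier ones (System Check, Super AV, Home Security Solutions, Security Monitor 2012) are written with %Var% placeholders and [random]/%random% wildcards. The following is an added example, not code from Emsisoft or from this page, showing how a defender can turn such a list into anchored, case-insensitive matchers and sweep a file listing with them. The environment expansions, the user name "alice" and the observed paths are constructed for the demonstration; the IoC strings themselves are taken from the lists above.

```python
import re

# Constructed expansions for the %Var% placeholders used in the file lists
# above (a hypothetical Windows XP host with user "alice"); on a real host
# these come from the environment of the user being examined.
ENV = {
    "AllUsersProfile": r"C:\Documents and Settings\All Users",
    "AppData": r"C:\Documents and Settings\alice\Application Data",
    "UserProfile": r"C:\Documents and Settings\alice",
    "Temp": r"C:\Documents and Settings\alice\Local Settings\Temp",
    "SystemDrive": "C:",
    "SystemRoot": r"C:\WINDOWS",
}

# Tokens the posts use for an attacker-chosen random file name.
WILDCARD_TOKENS = ("[random]", "%random%")
_WILDCARD_RE = re.compile("|".join(re.escape(t) for t in WILDCARD_TOKENS), re.IGNORECASE)
_ENV_RE = re.compile(r"%([^%\\]+)%")


def _expand_literal(text, env):
    """Escape a literal path fragment, expanding known %Var% placeholders.
    Unknown placeholders are kept verbatim so they match literally."""
    lookup = {k.lower(): v for k, v in env.items()}
    out, pos = [], 0
    for m in _ENV_RE.finditer(text):
        out.append(re.escape(text[pos:m.start()]))
        out.append(re.escape(lookup.get(m.group(1).lower(), m.group(0))))
        pos = m.end()
    out.append(re.escape(text[pos:]))
    return "".join(out)


def ioc_to_regex(ioc, env=ENV):
    """Compile an IoC path into an anchored, case-insensitive regex.
    [random]/%random% become exactly one path component (they never cross a
    backslash); an IoC ending in a backslash denotes a directory and matches
    the directory itself and everything below it."""
    suffix = ""
    if ioc.endswith("\\"):
        ioc, suffix = ioc.rstrip("\\"), r"(?:\\.*)?"
    parts, pos = [], 0
    for m in _WILDCARD_RE.finditer(ioc):
        parts.append(_expand_literal(ioc[pos:m.start()], env))
        parts.append(r"[^\\]+")
        pos = m.end()
    parts.append(_expand_literal(ioc[pos:], env))
    return re.compile("^" + "".join(parts) + suffix + "$", re.IGNORECASE)


def sweep(iocs, observed_paths, env=ENV):
    """Return (path, ioc) pairs for every observed path that matches an IoC."""
    compiled = [(ioc, ioc_to_regex(ioc, env)) for ioc in iocs]
    return [(p, ioc) for p in observed_paths for ioc, rx in compiled if rx.match(p)]


# IoCs taken from the file lists in the posts above.
IOCS = [
    r"%AllUsersProfile%\Application Data\[random].exe",
    r"%AllUsersProfile%\Application Data\~[random]",
    r"%UserProfile%\Desktop\System Check.lnk",
    "%Temp%\\smtmp\\2\\",  # directory IoC (a raw string cannot end in a backslash)
    r"%AppData%\157850g1p046c522p184r5dtv4q8",
    r"%UserProfile%\Local Settings\Application Data\%random%.exe",
]

# Constructed file listing from the hypothetical host; the random-looking
# names are placeholders, not real sample names.
OBSERVED = [
    r"C:\Documents and Settings\All Users\Application Data\kqJ3zX9.exe",
    r"C:\Documents and Settings\All Users\Application Data\~kqJ3zX9",
    r"c:\documents and settings\alice\desktop\system check.lnk",
    r"C:\Documents and Settings\alice\Local Settings\Temp\smtmp\2\9f3c.dat",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\d3sxq8.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log",
]

if __name__ == "__main__":
    for path, ioc in sweep(IOCS, OBSERVED):
        print(f"HIT  {path}\n     matches {ioc}")
```

The wildcard is deliberately limited to one path component: the broad IoC `%AllUsersProfile%\Application Data\[random]` would otherwise swallow every legitimate subdirectory under Application Data, which is why the Dr Watson log in the sample listing produces no hit.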

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\
    command = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\
    command = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
    command = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_CLASSES_ROOT\.exe
    (Default) = exefile
  • HKEY_CLASSES_ROOT\.exe\
    Content Type = application/x-msdownload
    DefaultIcon = %1
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
    (Default) = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
    (Default) = "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_CLASSES_ROOT\exefile
    (Default) = Application
    Content Type = application/x-msdownload
    DefaultIcon = %1
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_CLASSES_ROOT\exefile\shell\runas\command
    (Default) = "%1" %*
    IsolatedCommand = "%1" %*
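The registry entries above, together with those in the earlier posts (the Image File Execution Options "Debugger" redirection used by Super AV and Home Security Solutions, the DisallowRun list, DisableTaskMgr, the CheckExeSignatures/RunInvalidSignatures changes, and Run/RunOnce values pointing into profile directories) are the kind of thing a triage script can pick out of a .reg export. The following Python is an added example, not code from Emsisoft or from this page: it parses a constructed .reg export (placeholder file names on a hypothetical Windows XP host) and flags those patterns. The parser handles the quoted-string and dword value types the sample uses; other types are kept as raw text.

```python
import re

# Constructed .reg export in "Windows Registry Editor Version 5.00" syntax.
# The keys mirror the entries listed in the posts above; the file paths are
# placeholders for a hypothetical Windows XP host, not real sample names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\xhergjui.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="msseces.exe"
"1"="ekrn.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\abc123.exe\" -a \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Home Security Solutions"="\"C:\\Documents and Settings\\All Users\\Application Data\\93d79\\HS147.exe\" /s /d"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# "name"=... or @=... (the key's default value); names may contain \" and \\.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with \
        name = "(Default)" if m.group(1) is None else unescape(m.group(1))
        raw = m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        else:
            keys[current][name] = raw  # hex(...) and friends kept as raw text
    return keys


def _get(values, name):
    """Registry value names are case-insensitive; look one up accordingly."""
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)


EXPECTED_OPEN_CMD = '"%1" %*'  # stock (Default) for exefile\shell\open\command
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\")


def find_rogue_indicators(keys):
    """Return (category, key, detail) findings for the persistence and
    defence-evasion patterns seen in the posts above."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if "\\image file execution options" in k and _get(values, "Debugger") is not None:
            findings.append(("ifeo_debugger", key, _get(values, "Debugger")))
        if k.endswith("\\policies\\explorer\\disallowrun") and values:
            findings.append(("disallowrun", key, sorted(map(str, values.values()))))
        if k.endswith("\\policies\\system") and _get(values, "DisableTaskMgr") == 1:
            findings.append(("disable_taskmgr", key, 1))
        if re.search(r"\\(exefile|\.exe)\\shell\\open\\command$", k):
            cmd = _get(values, "(Default)")
            if cmd != EXPECTED_OPEN_CMD:
                findings.append(("exe_association_hijack", key, cmd))
        sig_off = (str(_get(values, "CheckExeSignatures")).lower() == "no"
                   or _get(values, "RunInvalidSignatures") == 1)
        if k.endswith("\\internet explorer\\download") and sig_off:
            findings.append(("signature_checks_disabled", key, dict(values)))
        if re.search(r"\\currentversion\\run(once)?$", k):
            for name, cmd in values.items():
                if any(d in str(cmd).lower() for d in PROFILE_DIRS):
                    findings.append(("run_key_in_profile_dir", key, f"{name} = {cmd}"))
    return findings


if __name__ == "__main__":
    for category, key, detail in find_rogue_indicators(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {key}\n    {detail}")
```

An IFEO Debugger value is reported for review rather than as an automatic verdict, since legitimate debuggers register there too; an IFEO subkey without a Debugger value (the GlobalFlag entry in the sample) is not reported. The .exe association check compares against the stock "%1" %* command, which is exactly what the hijacked open\command keys above replaced, while the untouched runas\command key passes.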

Screenshots (images not included): Rogue.Win32.MultiFakeAV

To register and uninstall this rogue application, you can try the following serial number:

3425-814615-3990

How to remove the infection of XP Antivirus 2012 (MultiFakeAV) (Rogue.Win32.MultiFakeAV)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.